Interesting data cPanel users know about the server
The cPanel user can see a lot of data.
For example, these are readable to the cPanel user on a standard CentOS/Apache/WHM server:
/etc/named.conf + /etc/dovecot/sni.conf - hosted domains
/etc/shadow + /etc/trueuserowners - cPanel user list
/etc/fstab - filesystems, like ramdisks
/etc/localaliases - e-mail of the root/nobody user
/etc/cron.d/ - cronjob contents, if the files have permissions more open than 700 (i.e. 644)
/etc/my.cnf - MySQL configuration file
/usr/local/apache/conf/modsec2.user.conf - mod_security rules
/etc/sysconfig/network-scripts/ - IPs used on the server
+ phpinfo() - many other details about Apache, PHP, MySQL
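A server administrator can turn the list above into a permissions audit. The following is an added example, not code from the thread or from cPanel: it reports, for each path, whether the "other" read bit is set (which is what makes a file readable to every hosted account). The path list is the one given in the post; the stand-alone run at the bottom uses constructed temporary files rather than the real system files.

```shell
#!/bin/sh
# Added example (not from the thread): audit which of the listed paths are
# readable by "other", i.e. by any cPanel account on the box.

# The paths named in the original post (assumed to be the list worth auditing).
SENSITIVE_PATHS="/etc/named.conf /etc/dovecot/sni.conf /etc/shadow /etc/trueuserowners
/etc/fstab /etc/localaliases /etc/my.cnf /usr/local/apache/conf/modsec2.user.conf
/etc/sysconfig/network-scripts /etc/cron.d"

# For each path print WORLD-READABLE, restricted or missing. The check reads the
# 8th character of 'ls -ld' output (the "other" read bit), which is portable
# across GNU and BSD userlands; for a directory it means anyone can list it.
audit_world_readable() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "missing         $p"
        elif [ "$(ls -ld "$p" | cut -c8)" = "r" ]; then
            echo "WORLD-READABLE  $p"
        else
            echo "restricted      $p"
        fi
    done
}

# Stand-alone demo on constructed files, so the script can be tried anywhere.
demo_audit() {
    d=$(mktemp -d)
    touch "$d/open.conf" "$d/locked.conf"
    chmod 644 "$d/open.conf"
    chmod 600 "$d/locked.conf"
    audit_world_readable "$d/open.conf" "$d/locked.conf" "$d/nope.conf"
    rm -rf "$d"
}
demo_audit

# On a real cPanel server run as root:
#   audit_world_readable $SENSITIVE_PATHS
```

Tightening a reported file is usually `chmod o-r`, but check first which service needs it: /etc/my.cnf and the named/dovecot configuration are read by daemons running as their own users, so the group bit, not the "other" bit, is what those services rely on.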
Hello, this is answered on your previous thread: "Prevent cpanel user to list server root directories and write into /tmp". You can also find more information on the jailed environment at: VirtFS - Jailed Shell - Documentation - cPanel Documentation. Thank you.
The files I mentioned can be read without SSH access enabled on that particular cPanel account. They can be read through a PHP script while the following PHP functions are disabled on that account: disable_functions: show_source, system, passthru, shell_exec, popen, proc_open, allow_url_fopen. I assume VirtFS can't change this.
"it can be read through a PHP script"
Information on how to prevent this is documented at: PHP Security Concepts - cPanel Knowledge Base - cPanel Documentation. In particular, the following option is useful: PHP open_basedir Tweak - Documentation - cPanel Documentation. Thank you.
Thank you, I went through the pages you linked and applied all the things. RE: "must manually specify the open_basedir directive in the appropriate php.ini file." I am using suPHP and I think I'm happy with it. So I would need to set up some script that would append open_basedir for each cPanel account to the global php.ini, is that the only solution? I mean something like:
[PATH=/home/newcpanel/public_html]
open_basedir = /home/newcpanel/public_html
?
Hello, you may find the following thread helpful if you'd like to use suPHP: "suPHP and open_basedir together, for improved security". That said, have you considered using DSO with Mod_Ruid2? Thank you.
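The per-account php.ini sections the original poster sketched a few posts up can be generated rather than typed. The following is an added example, not code from the thread, from cPanel or from the linked documentation. It assumes the account list is in the "user: owner" format of /etc/trueuserowners (a file the thread names) and that each account's document root is /home/<user>/public_html; the sample run at the bottom feeds it a constructed list, not the real file.

```shell
#!/bin/sh
# Added example (not from the thread): emit one [PATH=...] open_basedir section
# per cPanel account, in the php.ini per-directory form the poster sketched.
# Assumptions: input lines look like "user: owner" (the /etc/trueuserowners
# layout) and document roots live at /home/<user>/public_html.

# Usage: gen_open_basedir_sections FILE   (prints php.ini sections to stdout)
gen_open_basedir_sections() {
    infile="$1"
    # Split on ':' or space; the first field is the account name.
    while IFS=': ' read -r user _rest; do
        # Skip blank lines and comments.
        case "$user" in ''|'#'*) continue ;; esac
        # Refuse anything that is not a plain account name, because the value
        # ends up inside php.ini and a stray character could alter the file.
        case "$user" in
            *[!A-Za-z0-9_-]*) echo "skipping bad entry: $user" >&2; continue ;;
        esac
        docroot="/home/$user/public_html"
        # /tmp is appended so uploads and sessions keep working under the restriction.
        printf '[PATH=%s]\nopen_basedir = "%s:/tmp"\n\n' "$docroot" "$docroot"
    done < "$infile"
}

# Stand-alone demo with a constructed account list (not a real server file).
demo_sections() {
    f=$(mktemp)
    printf 'alice: root\nbob: reseller1\n# comment line\n\nbad$user: root\n' > "$f"
    gen_open_basedir_sections "$f"
    rm -f "$f"
}
demo_sections

# On a real server, review the output before appending it to the global php.ini:
#   gen_open_basedir_sections /etc/trueuserowners >> /usr/local/lib/php.ini
```

Two caveats a practitioner would want alongside this: open_basedir only constrains PHP's own file functions, so it does nothing for a CGI script in another language or for a shell session, which is what the jailed shell and the mod_ruid2 suggestion in this thread address; and the sections must live in a root-owned php.ini that the account cannot override with its own php.ini, which is exactly the suPHP point the linked thread discusses.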